What is GDPR?

GDPR stands for the General Data Protection Regulation. It replaces the Data Protection Directive created in 1995 when the internet as we know it today was just getting started. GDPR gives stronger rights of the “Data Subject” (person) for control over their data and consolidates the regulations within the European Union (EU).

According to the official site of the GDPR, the regulation was designed “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Data has no regional borders in today’s connected world, so GDPR affects organizations worldwide who offer services/products or a website to users in the EU.

GDPR sets the regulations for collecting personal data. Personal Data is any information which can identify the person, including name, identification number, location data or online identifier.

The GDPR affects how people and businesses who collect data will be able to store, use and distribute this data. To be compliant with GDPR, organizations must include the following or face penalties. There is a tiered approach to fines under GDPR based on the seriousness of the infringement, capping out with fines up to 4% of annual growth or €20 million, whichever is greater.

  • Confirm Consent to data collection – person must agree to collection of their personal information
  • Build in privacy setting and have them switched on by default - person must opt in to data collection
  • Disclose data use policy – Privacy policy must be available and updated on an ongoing basis
  • Data Storage - personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately
  • Erase personal data upon request – also known as Data Erasure or the right to be forgotten
  • Data portability - requestors can have their data sent to them or even transmitted to another data controller
  • Breach notification: Businesses and data processors will be required to notify all member states within 72 hours of awareness of the breach.

Simply put, this means companies will now be required to build in privacy settings into their digital products and websites – and have them switched on by default. Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways they use personal data and improve the way they communicate data breaches.

The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data). The exception to the rule is when the chosen internal communication and collaboration tool secures all data with end-to-end encryption as the service provider does not then get access to any customer data.

However, there are slightly different rules for small businesses – companies that have fewer than 250 employees and don’t process data frequently will not be bound by the regulations as rigorously as big companies (for more details, you should get familiar with Article 30 of GDPR: https://gdpr-info.eu/art-30-gdpr/)

How does PassagePoint comply with GDPR requirements
PassagePoint is on premise software, therefore compliance with GDPR is up to the organization that purchases PassagePoint and collects and stores visitor data. However, PassagePoint has built in features that allow an organization to comply with privacy regulations as follows:

Confirm Consent to data collection and data use policy
Agreements in PassagePoint allow an organization to present a Consent form and Privacy Policy to the visitor before they sign in to the facility.

PassagePoint can be configured to extract only desired information from an ID scan. The extracted data from an ID (driver license, passport, military ID, etc.) is determined by your organization based on your policies; Personally Identifiable Information (PII) does not have to be extracted. Visitor information can be captured, masked, or ignored based on your configuration in the software. ALL visitor information is encrypted in transit and retained in the database on your secure network.

Erase personal data
PassagePoint includes data retention policies which allow the organization to determine how long they keep visitor information and can automatically delete it after a specified amount of time. PassagePoint also includes the ability to delete specific visitor information, if requested to do so by the visitor.